Welcome to Splunk Answers, a Q&A forum for users to find answers to questions about deploying, managing, and using Splunk products. Contributors of all backgrounds and levels of expertise come here to find solutions to their issues, and to help other users in the Splunk community with their own questions.

This quick tutorial will help you get started with key features to help you find the answers you need. You will receive 10 karma points upon successful completion!

its short time data like 1 day. But Can splunk changes the data which was already indexed before ?? after changes in props.conf.For example: Splunk taking some unnesessary field values from csv header. I wanna remove that. I am doing changes in conf files but changes taking place after reinstall the splunk.

As "rotten" mentioned, once the data has been indexed, it cannot be changed. However, some things are not stored in the index. Those things can be changed as you wish. Below are the basics; look in the documentation for more details.

Changes to inputs.conf change how all new data will be indexed. These changes do not affect data that has already been indexed. If you want these changes to apply to all data, you will need to use the splunk clean command, as was shown in one of the other answers.

Setting the source, sourcetype or host - these affect how the data is indexed. Therefore, this is the same as changes to inputs.conf.

Defining field extractions - field definitions are not indexed; fields are built during the search process. These changes do not require that you restart Splunk. Any changes that you make to field extractions will apply to all data, regardless of when it was indexed. (BTW, you can do "index time field extractions" but don't. Use the normal, search-time field extractions - this is what Splunk recommends.)

If you are new to Splunk, I suggest that you use the web interface (the Splunk Manager) to set up your inputs, and the interactive field extractor to set up your fields. One of the nice things about using the Splunk web interface is that it will tell you if you need to restart Splunk.